In a big step toward securing critical information systems, such as medical records in clinical settings, Dartmouth researchers have created a new approach to computer security. The methodology authenticates users continuously while they are using a terminal and automatically logs them out when they leave or when someone else steps in to use the terminal.
Dartmouth’s Trustworthy Health and Wellness (THaW) researchers presented their findings at the IEEE Symposium on Security & Privacy earlier this year in San Jose, Calif. THaW is a $10 million research effort funded by the National Science Foundation, with Dartmouth as the lead institution.
“In this work, we focused on the de-authentication problem for desktop computers because we were motivated by associated problems faced by healthcare professionals in hospitals,” says David Kotz ’86, the Champion International Professor in the Department of Computer Science and associate dean of faculty for the sciences. Kotz, a member of the Institute for Security, Technology, and Society (ISTS), is the study’s senior author and the principal investigator on THaW.
Common authentication methods based on passwords, tokens or fingerprints perform one-time authentication and rely on users to log out from the computer terminal when they leave. But users often do not log out, which presents a security risk. The most common solutions—inactivity timeouts—inevitably fail security (too long a timeout) or usability (too short a timeout) requirements.
One solution is to authenticate users continuously while they are using the terminal and automatically log them out when they leave. Shrirang Mare, a Dartmouth computer science PhD student, has developed an approach called Bilateral Recurring Authentication Conducted Effortless, or BRACE. A user wears a bracelet with a built-in accelerometer, gyroscope, and radio on his or her dominant wrist; these bracelets are commonly sold as fitness devices.
“We wanted to develop a method that does not require any hardware modification to existing devices and does not rely on a user’s behavior,” says Mare.
When the user interacts with a computer terminal, the bracelet records the person’s wrist movement, processes it and sends it to the terminal. The terminal compares the wrist movement with the input it receives from the user via keyboard and mouse and confirms the continued presence of the user only if the input correlates.
In experiments, BRACE performed continuous authentication with 85 percent accuracy in verifying the correct user and identified all adversaries within 11 seconds. For a different threshold, one that trades security for usability, BRACE correctly verified 90 percent of users and identified all unauthorized operators within 50 seconds. Thus, BRACE recognizes in under a minute an unauthorized person who steps in to use a terminal when the original user has stepped away it.
This kind of quick reaction can prevent mistakes, such as clinical staff accidentally entering information into the wrong patient’s medical record, or inappropriate behavior, such as someone examining personal medical information or financial data by taking advantage of a computer left unattended by an authorized user.
“It would be natural to extend BRACE to mobile devices such as smartphones or tablet computers, and we believe this is possible despite some different challenges,” says Kotz.